Method and device for authenticated access of a station to local data networks in particular radio data networks

ABSTRACT

The invention relates to methods, devices and systems for the authenticated access to a data network by means of a station (WH) compatible with a data network (WLAN), which permit an authentication of the station and user. A device, for example a mobile radio device, is used for the above, which is authenticated in another system. In addition to the authentication, in particular a charging of services in a data network or another communication system (GSM) which is accessible by means of the data network is thus possible.

CLAIM FOR PRIORITY

This application claims priority to International Application No. PCT/EP02/11910, which was published in the German language on May 1, 2003, which claims the benefit of priority to German Application No. 10152 572.9 and European Application No. 011 25257.4, which were both filed in German and European languages, respectively.

TECHNICAL FIELD OF THE INVENTION

The invention relates to a method for accessing a data network and to a device for implementing such a method and to a charging method as a result of the authentication.

BACKGROUND OF THE INVENTION

A large number of different types of telecommunications and data networks for communicating and/or transmitting data are known. A distinction can be drawn here between two fundamentally different types of network. There are, on the one hand, the telecommunications networks, for example those conforming to the GSM (Global System for Mobile Telecommunications) or the UMTS (Universal Mobile Telecommunications System) standards, in which subscribers are authenticated and authorized when they sign on to the network concerned. An advantage in networks of this type is that as a result of the authentication procedure it is also possible to charge for services used. Furthermore, these generally cellular networks offer the opportunity of a high degree of mobility since a subscriber can move with his/her station from network cell to network cell. A disadvantage of these types of cellular telecommunications systems is that the administrative outlay is very high. Also, these telecommunications networks provide only a low data rate for radio interfaces.

There are, on the other hand, data networks which are designed as local area networks or wireless local area networks (WLAN). Such data networks offer subscriber stations access that is very easy to administer. A further advantage consists in the considerably higher data rate by comparison with telecommunications networks at the interfaces to the subscriber station. A disadvantage of data networks of this type, however, is the lack of an authentication facility and consequently also the lack of a billing or charging facility.

Currently, especially in the USA and Europe, it is almost exclusively products based on the IEEE 802.11 family which appear to be prevailing as local area networks with wireless subscriber access, with suitable Ethernet terminals already being provided as standard in many computers and portable computers (laptops, notebooks, PDAs, etc.). The radio interface defined under the IEEE 802.11b standard for accessing local area networks corresponds functionally to a wired connection to LANs which have now developed into the office standard. Interface cards for wireless access to local area networks, also referred to as NICs (network interface cards), are from an architectural point of view produced like standardized Ethernet cards and with today's operating systems can be installed using plug & play. Portable computers are readily upgradeable with appropriate interface cards unless they have already been delivered ex works with an integrated terminal for wired or wireless access to local area networks. With the next generations of operating systems (e.g. Windows XP from Microsoft) fully integrated support for wireless local area networks will be provided.

With data rates of 11 Mbit/s at present and of 50 Mbit/s in future, subscribers will thus be provided with data rates that are considerably higher than the data rates which can be offered by the next third-generation mobile telecommunications (UMTS). Access to wireless local area networks for high-bit-rate connections is consequently preferable for transmitting large quantities of data, especially in connection with Internet access.

Disadvantageously, the wireless local area networks cannot offer any authentication facility for stations or computers not already registered in the system. However, operators of wireless local area networks, for example in an airport area, have to offer access for a large number of different subscribers from different regions. In order to be able to authenticate a subscriber, the operator of the wireless local area network would have to conclude cross-license agreements with all possible Internet service providers (ISPs), of which, however, there are currently over 60,000 in Germany alone.

Without authenticating subscribers or subscribers' stations, no billing of services used can occur since it is not even known to whom a bill could be sent. Access to wireless local area networks must therefore either be offered free of charge or as a prepaid service with payment in advance by means of credit card billing or the like.

A further facility enabling authentication and billing consists in involving a billing company or clearing house which takes responsibility for the relevant contacts with as many Internet service providers worldwide as possible. A problem here, however, is that a large proportion of the revenues of the operator of a wireless local area network has to be transferred to the clearing house. Furthermore, the clearing house has to succeed in being able to contact each actual Internet service provider or at least a large number of Internet service providers, i.e. in concluding a large number of contracts itself. This solution, too, is consequently very difficult to manage. With regard to unauthorized access to data networks there is also increasingly the problem that unauthenticated content is being provided by subscribers of wireless local area networks. Only authentication could prevent extremist information or information that jeopardizes young people from being retrieved via the local area networks concerned and via access to the Internet.

These problems can be solved by the operators of the mobile communications networks in a simple way. The cellular mobile communications networks have a large subscriber base that can be authenticated. Furthermore, these mobile communications networks have an accounting or billing system. By means of international roaming, subscribers who are registered or subscribed with another mobile communications network operator can also be serviced and authenticated. Since nowadays a majority of consumers in industrialized countries are mobile telephone subscribers, a mobile communications network operator can in principle contact virtually every consumer itself or with the aid of other mobile communications network operators.

Initiatives as to how a mobile communications network operator can integrate a wireless local area network into its own cellular mobile communications network are many and various. As the debate stands at present, a distinction is drawn between tight and loose coupling. Tight coupling is defined as full UMTS integration, i.e. one uses only the physical layer of the wireless local area network, while all higher protocol layers are taken over from UMTS and adapted. This solution is meanwhile no longer under discussion as it has proven not to make economic sense and to be technically difficult to implement.

Among the variants of loose coupling currently being debated publicly are the two infrastructure-based coupling variants (e.g. ETSI BRAN) which are based on the use of a registered identification card (SIM: subscriber identification module) or the RADIUS PROTOCOL (RADIUS: Remote Access Dial-In User Access). In the case of the SIM-based variant, a SIM card is installed in a notebook or a network access card for said notebook. The wireless local area network system appears logically as a visitor local register (VLR) of the telecommunications network and is connected to the telecommunications network via the MAP (mobile application part). Economic success for the operator of the telecommunications network depends greatly, however, on whether in future every card for accessing wireless local area networks will contain a SIM card as standard. For this to occur, computer manufacturers and the standardization bodies for data networks and telecommunications networks would have to develop joint standards or a mobile communications network operator would have to subsidize this specific type of NIC.

In the case of the RADIUS variant, the telecommunications network appears as an authentication, authorization and accounting server, as a result of which no modification of subscriber equipment is necessary.

With regard to currently available hardware, access points (AP) which are based on the IEEE 802.11b standard are known, as analog modems for connecting to a telephone line, as ISDN cards for connecting to an S0 bus, as DSL modems for connecting to a DSL line, topologically as Ethernet bridges with a local area network terminal for connecting to a local area network and in further embodiments as a cable modem for connecting to a cable television network and as a router, for example with an Ethernet terminal without a bridge function. These access points consist of a radio access section for controlling access to the radio interface and an interface for connecting to the wired telecommunications or data network. The radio access section and the interface for the line-bound terminal are connected with hardware which also provides appropriate configuration management functions, etc.

SUMMARY OF THE INVENTION

The invention provides a method and device for authenticated access to local area networks, in particular wireless local area networks, which simplify the authentication and in particular facilitate the possibility of charging for services used with the aid of the local radio network.

In one embodiment of the invention, there is a charging method for stations compatible with a data network, a data network unit, a network access device and charging systems.

Authenticated access is defined as access to a data network, data or the like, where the accessing station or the operator thereof can be identified directly or indirectly. Data networks are local area networks in accordance with e.g. IEEE 802.11 or HiperLAN2. Stations compatible with a data network are accordingly computers, notebooks and the like which have a cable or wireless interface to such a data network. Access points, which are deemed to include hubs, bridges, network cards in computers and the like, serve as access for such a data network.

The identification information can be a device number, an assigned telephone number, a password-type character string and the like, which are assigned to the station or the operator thereof. The identifier, e.g. a password, is provided on the other hand by the data network unit triggering authentication. The transmission path of a short message, a call or the like is listed for example as a path to an authenticated device that is protected against manipulation. The transmission of characteristic information to the access point or data network can occur e.g. by reading of a mobile telephone display, fax or the like by persons or else automatically by infrared interfaces or cable connections.

For determining the authenticity of a subscriber or of a subscriber's station, a method is particularly advantageous in which characteristic information is transmitted by the data network over a secure path to a device external to the data network having authentication of subscribers or subscriber stations. The subscriber can transfer the characteristic information received on such a device manually after it has been shown on a display or by an automatic interface, e.g. via a cable connection or an infrared connection to the mobile host or computer. By this means, access can be gained on the one hand to secure authentication information of another system, of which at least the access code of the uniquely assignable device of the system with authentication is known in the data network. Advantageously, however, access does not have to be directly with further network-internal devices of the other system with the authentication function. The data network and the other system with an authentication function thus remain fully decoupled and enable nonetheless secure authentication of the mobile host or of the station with which the data network is being accessed, since the operation of this station can be carried out by a uniquely authenticatable subscriber in the other system.

Advantageously, the identifier is randomly generated in the access point of the data network or of another device of the data network from the available standard character set. However, it is also possible for an identifier to be selected from a list containing a large number of passwords so that, to simplify transmission, words in users' normal vocabulary can be used.

The transmission of the identifier to the device in the system with authentication can be carried out particularly easily by using the short message service (SMS). This procedure can readily be implemented for data network access in current and future cellular telecommunications systems with a very large distribution in the relevant user groups. The transmission of the identifier without any direct use of authentication functions in the system external to the data network is thus preferably understood as meaning that the operator of this external network enables a data transmission comparable with a normal telephone call or a short message transmission.

The transmission of the identifier advantageously occurs without any direct use of the actual authentication functions in the system external to the data network.

Direct communication with one or more of the devices and functions of the external system is not necessary.

It is particularly advantageous here for the identifier to be transmitted via a mobile station and/or a SIM card of a cellular mobile communications system.

After the authentication of the subscriber or of the station accessing the data network, a recording can be undertaken in the data network itself of data relevant to charging when the station accesses a certain service or for a certain period of time via the data network. Advantageously, data relevant to charging that is recorded in this way can be passed in accordance with a method having an independent inventive embodiment through to a separate central charging office or to a charging center of the system external to the data network.

Methods of this type can be implemented in particular with a local area network or wireless local area network if, in addition to being equipped with an interface for access by a subscriber's station, an access control unit having usefully an authentication memory and a first interface for access from the data network to an external network, this network is also equipped with a special access control unit for generating an identifier and for emitting this identifier via the external network. The identifier can be transmitted via a second network device interface from the external network to the station connected to the data network, simultaneously enabling authentication of the station by the access control unit.

Obvious solutions for implementing such a method in a data network equipped in such a manner are, in particular, modems and network access devices which have appropriate interfaces to the data network, e.g. an Ethernet terminal, and to the external network, e.g. a telephone line, as well as appropriate hardware and software for implementing an appropriate authentication procedure.

Advantageously, such an access control unit has the devices and functions necessary for authentication as well as an interface module, the interface module being designed as a modular device for connecting to at least one external communications system or communications network with secure authentication so that replacing the interface module makes it possible to adapt to various types of external networks without any major structural outlay.

In the other external communications system or communications network with an authentication function, few or no changes are required. Since, with regard to the authentication of a subscriber station accessing a wireless local area network, this communications system or communications network is used for carrying information relevant to authentication, no additional outlay is incurred with regard to subscriber authentication in this external network. The transmission of charging information from an access control unit of a wireless local area network to another external communications system sensibly occurs in the format and via the interfaces which are customary for the transmission of charging-relevant information within this network or to this network.

Adaptations to different payment systems can take place either in the external network or else in the wireless local area network.

The implementation of this method or the introduction of appropriate technical equipment is possible with minimum outlay. In particular, even very small local area networks or wireless local area networks can be included so that the sum total of many small and very small installations form a complete network which potential wireless data network customers can access. In such scenarios, no principal operator incurring a major financial risk is required, and the investments of the individual access providers, for example, hairdressing salons, restaurants, airport operators are limited due to the ease of implementation. In particular, this also enables mobile communications network operators to access such markets, the mobile communications network operators themselves being able to provide appropriate access to the data network or to render third parties' data network access usable for themselves.

In essence, simple, commercially available mass-produced goods which can be obtained by the owners of portable computers and the like at low cost are used for installation. On account of the limited additional functions and additional equipment required at the data network access points, the installation costs are also low for the data network operator and, at less than 500 euros plus monthly Internet access fees, affordable. Even if no charging is undertaken, the use of such a system is advisable in terms of potential customer relations.

Charging methods can be apportioned particularly well to different systems if basic charging information is recorded in a first charging unit which can be provided cost-effectively and transmitted to a more cost-intensive but in return centrally operable second charging unit which, from the basic charging information, determines fees to be charged.

Areas of application are, due to the use of the unlicensed radio frequency band, private properties, businesses and divisions of companies. While in known systems prior registration and, in the case of charging, the involvement of charging companies or entities was necessary, under the method presented, authentication and consequently unique subscriber identification can be carried out if the data network can access another system or network with the appropriate information. In particular, the copyright status of contents in the network can thus also be checked.

The access to cellular telecommunications networks is particularly advantageous since the mobile communications network operators possess the world's largest current subscriber base, use the world's most accepted current form of subscriber authentication and in their charging platform possess a simple collection system for third parties.

A further advantageous feature lies in the fact that although the mobile communications network operator itself has fully transferred responsibility for authentication of the access of subscribers and subscriber devices to a third-party service provider, it can e.g. with modems or network access devices supply precisely the mechanisms which enable this service provider to carry out this authentication securely and reliably in the easiest way.

On the hardware side, it is particularly advantageous to supply the appropriate equipment in the form of a modem, since a subscriber has only simple connections to make and can install the device such as a normal modem for access to a telecommunications network himself/herself easily and without any major technical outlay.

Particular advantages consequently lie in the fact that two different types of network complement one another in that a high-bit-rate data network can indirectly access functions of a low-bit-rate telecommunications network with authentication functions. A data network, in particular a wireless data network, can thus autonomously carry out authentication of a subscriber's station and be connected to various networks for this purpose. The connection to external networks can be such that, from the viewpoint of the external network, a station belonging to that network is accessing or an external device is accessing a standard interface provided for this external device.

Mobile communications network operators can offer third-party data network providers connection to their payment system and thus with minimum outlay also offer their mobile subscribers access to local area networks without being forced themselves to set up access points for data networks.

In this context, the connection of access control units of wireless local area networks to charging and/or payment systems is advantageous. These systems find use in telecommunications networks, above all however in cellular mobile communications networks when charging information is to be transmitted from service providers outside the network. In this way it is, for example, possible to invoice for the purchase of articles over the mobile communications network. In such a case, the seller of articles uses the subscriber status of the customer with a mobile communications network operator so that the purchaser can then settle his/her account via his/her mobile communications network operator rather than, for example, via a credit card. Thus, the seller uses the collection functions which mobile communications network operators provide to third-party service providers. In this process, the seller is under obligation toward the mobile communications network operator to ensure that only charging information from fully authenticated subscribers is transmitted. Arrangements to this effect can be regulated e.g. in a contract such that the user (seller) of charging services of a mobile communications network operator be basically liable for the sums of money used. Using these methods, known in the art in other areas, which find use in commercial payment systems, e.g. the Siemens Pay@Once system, it is possible for a mobile communications network operator not only itself to offer services subject to a charge but also to arrange for its mobile communications customers to be offered additional services by third-parties, companies not belonging to the mobile communications network operator (untrusted partners).
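The two-stage charging arrangement described above (a cheap first charging unit in the data network that only records basic charging information, and a central second charging unit that derives fees from it) together with the seller's obligation to forward only records of fully authenticated subscribers can be modelled in a few lines. The following is an added example written for this page; it is not code from the patent or from any product it names. Class names, the tariff values and the sample sessions are constructed assumptions.

```python
"""Added example (not from the patent): split charging between a first unit in
the WLAN that records basic charging information and a central second unit that
prices it, with the first unit refusing records for unauthenticated stations."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class BasicChargingRecord:
    """Basic charging information as recorded at the access control unit."""
    msisdn: str           # subscriber identity established by the SMS identifier
    service: str          # e.g. "internet" or "local" (constructed labels)
    seconds: int          # duration of use
    bytes_transferred: int


class FirstChargingUnit:
    """Hypothetical first charging unit: cheap, local, records only.

    It is handed the access control unit's table of authenticated stations
    (station address -> MSISDN) so that a session from an address that was
    never cleared can not produce a billable record."""

    def __init__(self, authenticated):
        self.authenticated = authenticated
        self.records = []

    def record_session(self, station_addr, service, start, end, bytes_transferred):
        if station_addr not in self.authenticated:
            raise PermissionError(f"station {station_addr} is not authenticated")
        if end < start or bytes_transferred < 0:
            raise ValueError("malformed session data")
        rec = BasicChargingRecord(self.authenticated[station_addr], service,
                                  end - start, bytes_transferred)
        self.records.append(rec)
        return rec

    def export(self):
        """Hand the collected records to the central unit and start afresh."""
        out, self.records = self.records, []
        return out


class SecondChargingUnit:
    """Hypothetical central charging unit of the operator: applies the tariff."""

    def __init__(self, cents_per_minute, cents_per_mib, free_services=("local",)):
        self.cents_per_minute = cents_per_minute
        self.cents_per_mib = cents_per_mib
        self.free_services = set(free_services)

    def fees(self, records):
        """Return fee in cents per MSISDN; partial minutes and MiB round up."""
        totals = defaultdict(int)
        for r in records:
            if r.service in self.free_services:
                continue
            minutes = -(-r.seconds // 60)
            mib = -(-r.bytes_transferred // (1024 * 1024))
            totals[r.msisdn] += minutes * self.cents_per_minute + mib * self.cents_per_mib
        return dict(totals)


def demo():
    """Constructed scenario: two cleared stations, one that was never cleared."""
    authenticated = {"00:11:22:33:44:55": "+49170000001",
                     "66:77:88:99:aa:bb": "+49170000002"}
    first = FirstChargingUnit(authenticated)
    first.record_session("00:11:22:33:44:55", "internet", 0, 90, 3 * 1024 * 1024)
    first.record_session("00:11:22:33:44:55", "local", 90, 400, 512)
    first.record_session("66:77:88:99:aa:bb", "internet", 0, 60, 1)
    try:
        first.record_session("de:ad:be:ef:00:00", "internet", 0, 10, 10)
        rejected = False
    except PermissionError:
        rejected = True
    second = SecondChargingUnit(cents_per_minute=10, cents_per_mib=5)
    return second.fees(first.export()), rejected


if __name__ == "__main__":
    print(demo())
```

The point of the split is visible in the code: the unit inside the WLAN never needs a tariff and never prices anything, and the only security decision it makes is whether the station address appears in the authenticated table that the access control unit filled during authentication.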

A key advantage of the method described consists in the fact that chargeable access to a local radio network can be offered by third parties, whose charging is carried out via the mobile communications network, without the mobile communications network operator itself having to provide the devices such as base stations necessary for radio-based local wireless network access.

A mobile communications network operator can thus provide its customer with access to data networks even where this service is already being offered by another third party. It can sell or donate the devices and functions required to the third party.

Third-party operators, e.g. content providers, can be motivated to offer access to local area networks themselves since these third-party operators can in a simple way utilize the authentication and collection facility of a mobile communications network.

An independent authentication procedure can usefully be used for the authentication of the data network operator to a third party as the charging center or the like.

BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments will be described in detail below with reference to the drawings, in which:

FIG. 1 shows components of a data network with a facility for accessing an external, authentication-capable communications system.

FIG. 2 shows the sequence of an authentication method in the system.

FIG. 3 shows diagrammatically a flowchart of the method.

FIG. 4 shows an arrangement for charging.

FIG. 5 shows a modular radio access point.

DETAILED DESCRIPTION OF THE INVENTION

Referring to FIG. 1, a sample local area network, in the preferred embodiment a wireless local area network WLAN, includes a large number of devices which are connected to one another by means of appropriate lines. The devices include routers and bridges for distributing data to a large number of network devices. While this type of local area network WLAN can be operated even without a controlling network device if the connected stations, in particular hosts, computers and the like possess an appropriate functionality for controlling access, in the preferred embodiment the local area network has a DHCP server for allocating temporary addresses in accordance with the Internet Protocol (IP).

This DHCP server can be connected directly to a network line or an access router AR or be part of such an access router. The local area network also has access points AP for the access of wireless stations to the local area network. Such wireless stations can be computers, notebooks and the like which are equipped with a radio interface, for example an NIC (Network Internet Card), i.e. a network access card. Consequently, communication takes place from the station via its network access card NIC and the radio interface V1 configured at one of the access points AP to the wireless local area network WLAN.

As an additional component, the wireless local area network WLAN has a network interface NI which enables access to a communications network with Internet access. The network interface here can advantageously be connected to the access router AR or also integrated in this access router. Integration is, however, also possible in another computer or the like connected to the wireless local area network WLAN.

In the method described below for the loose coupling of a wireless local area network WLAN to a mobile communications network, in the embodiment shown a mobile communications network that conforms to the GSM standard, further devices and functions are accessed. Here, authentication and charging are decoupled both from one another and from direct communication with the external GSM network or system. The relevant architecture of a preferred wireless local area network system is shown in the symbolic representation sketched below the graphical representation of the network, which can be coupled to a variety of networks as a result of the decoupling of authentication and charging. Access to PLMN HLR/HSS (Public Land Mobile Network Home Location Register/Home Subscriber System), electronic trading systems (eCommerce), ISP AAA (Internet Service Provider Authentication Authorization Accounting), intelligent micropayment network systems (IN micropayment systems), etc. are mentioned as examples in addition to access to the GSM.

The connection of these different systems or networks to the data network WLAN is via a network interface which has an appropriate interface module. The remaining blocks shown in the diagram can be used unchanged for the various external networks or external systems. Here, the generic modules include a user station or user application, e.g. a notebook with a wireless network card and an Internet browser, a radio access unit, e.g. a radio access point conforming to IEEE standard 802.11b which is connected to a local area network LAN, an access control unit or access control function which recognizes whether a subscriber is already authenticated or not and which if necessary enforces authentication, and an authentication function or authentication unit which carries out the authentication. Furthermore, a charging function or a charging system can be provided, which generates, as charging information, subscriber-dependent billing datasets based on the period of service use, the quantity of data transmitted or the type of service used. Such functions and systems can, however, also be included in the network interface.

The generic modules and functions can be used unchanged both in terms of their logical functions and with regard to their physical entities. The term ‘generic’ is thus deemed to refer, in particular, to a unit which in terms of its physical design and its logical function can be used unchanged, independently of an external system to which this generic device is connected. The individual devices and functions can be provided here as devices and functions separate from one another, can be components of other network devices or else be combined in a device referred to hereinafter as a service selection gateway SSG. The authentication function is designed in the embodiment described below to be provided by a network server or web server.

The sequence of operations in the accessing of a network by a station WH and the corresponding authentication of this station or of the user assigned to this station is also described with reference to FIGS. 2 and 3. In a first step S1, the subscriber's station WH obtains via the radio interface V1 a wireless access to the access point AP of the wireless local area network WLAN, which is installed for example at an airport. After the assignment by the DHCP server of an IP (Internet Protocol) address to be used for access by the station WH in accordance with standardized functions for local area networks, the authentication is triggered when a service, e.g. Internet access, is accessed for the first time using the IP address or the globally unique MAC (Medium Access Control) address specific to the network access card.

The access control function or access control unit has a memory in which a list is held scheduling which IP addresses WH-IP or MAC addresses WH-MAC are already listed as authenticated subscribers or authenticated subscriber stations (step S2).

If it is ascertained in a step S3 that the checked IP address WH-IP or MAC address WH-MAC belongs to a previously authenticated subscriber or subscriber terminal, access to the required services which are being offered with the aid of or by the local area network is cleared. Otherwise, access can, for example, be restricted to free local services, for example departure boards at airports, or any data access disabled or a fresh authentication procedure started.

For non-authenticated IP or MAC addresses, the service selection gateway SSG or the access control unit located therein imports in place of the required Internet page a portal page which prompts the subscriber or operator of the station WH to enter unique identification features, e.g. username and password. These parameters are used for authentication. If this is successful, then the access control function is instructed to clear the subscriber, i.e. to allow him/her access to the required Internet page, so that the subscriber has free access to the required service or the Internet.

When the portal page is transmitted in a step S4, in particular an access number for a telephone, in particular a cellular telephone of the subscriber, can be requested in addition to or instead of the unique identification features. After the access number or telephone number (mobile directory number) has been input in a step S5 by the subscriber or operator of the station WH, the identification number or telephone number is sent via the access point AP to the service selection gateway SSG in a step S6.

In a subsequent step S7, the service selection gateway generates a password, in the event that authentication is possible with the details given but a telephone number of this type is specified. The password is transmitted as an identifier to the appropriate telephone via the appropriate communications network assigned to the telephone number. Other suitable data terminals, for example fax machines, can be used instead of a telephone. It is essential that the identifier be transmitted via a telecommunications network, data network or system which permits a unique and reliable assignment of subscribers, in which network or system a certain person is uniquely assigned to the specified telephone number as a subscriber or as a certain data terminal. The identifier can thus be, and is, directed to this person.

In the embodiment shown, the identifier is transmitted in a step S8b as a short message service SMS via a telecommunications network to a mobile station, in particular a cellular telephone of the GSM network with the assigned mobile directory number MSISDN. In parallel with this, a password request is sent in a step S8a as a portal page to the station WH.

In a next step S9, the subscriber reads off the identifier from his/her cellular telephone and inputs said information into his/her station WH. After it has been confirmed, the identifier or this password is sent in a step S10 by the station WH via the access point AP to the service selection gateway SSG.

In the next step S11, a check is made in the service selection gateway SSG as to whether the identifier or the password matches the password originally generated and issued, or has been changed in a permissible manner, for example by means of encryption. If not, an error message is output in step S12 to the station WH and the procedure terminated, or a repeat request for authentication information is initiated in step S4.

If in step S11 the identifier is OK, the station WH is cleared in step S13 for the requested or permitted access to special services and/or the Internet. A restriction of the connection duration can be provided for here.

Optionally, a recording of charging information can also be initiated in a step S14. Such charging information is transmitted in a step S15 to an appropriate charging service, e.g. of a third party or of the operator of the network or system used for the authentication.

A random method can be used when selecting the password or the identifier, but it is also possible to use a memory containing a large number of terms from which one term is selected on a random basis in each case and transmitted via the authentication-capable network or system.

Alternatively or additionally, passwords can be preset, for example for airport officials at an airport, which passwords can be entered by subscribers as part of the authentication procedure either directly or, for example in the event of their having been forgotten, in order for it to be possible for them to be resent to them.

In summary, the subscriber or operator of a station WH to be connected to the wireless local area network WLAN enters, instead of a password, his/her mobile directory number (MSISDN) in the portal page; the authentication function generates a password and sends this password as an identifier by short message service SMS to a mobile radiocommunication terminal (GSM terminal). The subscriber transmits the password received to the station and can thus be uniquely authenticated by the authentication function in the service selection gateway SSG.

In this way, while the operator of the data network has only one telephone number as a possible unique assignment to the subscriber, a further assignment to the subscriber is possible, if needed, e.g. if personal address data is specified incorrectly by the station user, by means of an appropriate later access to the databases of the telecommunications system. By this means, the subscriber is ultimately, and in the most reliable and trustworthy manner currently known, also authenticated for the authentication function of the wireless local area network. Furthermore, it is possible to invoice the subscriber for any charging information via a charging service used as an intermediary, a corresponding charging organization or the operator of the mobile communications network. In particular, a fiduciary relationship has only to exist between the authentication server and the telecommunications network which was used as an intermediary for the authentication, but not between the subscriber and the operator of the data network.

A wallet server can also be used as an intermediary charging organization or charging service, which wallet server functions in the manner of a collection agency. The use of the mobile communications system hereinbefore is only a means to the end of authentication and is not intended to exclude any other type of network connection.

The authentication function and the access control function can be accommodated in one entity, e.g. a computer, but can also be provided separately in a central device and/or multiple satellite devices. This is illustrated in the Figures by means of the division into a web server i-noc for carrying out the authentication and an access unit i-sat containing the access control unit. The radio access unit and the access control unit record among other things information for charging.

If the authentication function is set up in an independent device i-noc, such an authentication device i-noc can also supply multiple access control units i-sat. In particular, it is then advantageous to install the authentication device i-noc at a location close to or in an external network with a reliable independent authentication function or with the operator of a charging system, e.g. with the operator of the mobile communications network GSM or a broker. This enables provision of a costly authentication device i-noc at a central location and the connection of a large number of readily configured and cost-effective access control units i-sat in individual local networks WLAN or access points AP. Advisably, a secure IP-based connection conforming to e.g. RADIUS or HTTPS (Hypertext Transfer Protocol Secure) is established for the connection between separate access control units i-sat and an authentication device i-noc.
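To make the sequence of steps S2 to S13 concrete, the following is an added simulation written for this page; it is not code from the patent or from any product it describes. It uses the division just introduced: an authentication device in the role of i-noc generates the identifier (S7), hands it to a stand-in for the SMS channel (S8b) and checks the copy returned by the station (S11), while an access control unit in the role of i-sat keeps the list of cleared MAC or IP addresses (S2, S3, S13) and relays the MSISDN and the password attempt from the portal page (S6, S10). It also shows both ways of choosing the identifier named above: a random digit string or a random pick from a term list. The class names, the six-digit code format, the five-minute validity window, the three-attempt limit, the sample MAC address and telephone number, and the recording SMS gateway are all assumptions of this example, not values from the page; the RADIUS or HTTPS link between i-sat and i-noc is reduced to a direct method call.

```python
"""Added example: SMS-identifier authentication for WLAN access, modelled on
steps S2-S13 of the text. All names, limits and the fake SMS channel are
assumptions of this example, not part of the patent."""
import hmac
import secrets
import time

CODE_LENGTH = 6            # assumed identifier format: six decimal digits
CODE_TTL_SECONDS = 300     # assumed validity window of an issued identifier
MAX_ATTEMPTS = 3           # assumed limit on wrong copies per identifier


class SmsGateway:
    """Stand-in for the GSM/SMS channel of step S8b: records instead of sending."""

    def __init__(self):
        self.sent = []  # list of (msisdn, text)

    def send(self, msisdn, text):
        self.sent.append((msisdn, text))


class AuthenticationDevice:
    """Role of i-noc: generates the identifier (S7), sends it by SMS (S8b),
    and checks the copy returned by the station (S11)."""

    def __init__(self, sms, word_list=None, clock=time.time):
        self.sms = sms
        self.word_list = word_list   # optional term list, the alternative the text mentions
        self.clock = clock           # injectable so expiry can be tested
        self.pending = {}            # station_id -> [msisdn, code, expires_at, attempts_left]

    def new_identifier(self):
        # Random pick from a term list, or a random digit string. The secrets
        # module (CSPRNG) is used because the identifier is an authenticator.
        if self.word_list:
            return secrets.choice(self.word_list)
        return "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))

    def challenge(self, station_id, msisdn):
        code = self.new_identifier()
        self.pending[station_id] = [msisdn, code, self.clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        self.sms.send(msisdn, "WLAN access code: " + code)

    def verify(self, station_id, attempt):
        entry = self.pending.get(station_id)
        if entry is None:
            return False                     # no outstanding challenge (S12)
        msisdn, code, expires_at, attempts_left = entry
        if self.clock() > expires_at:
            del self.pending[station_id]     # a stale identifier is never accepted
            return False
        if hmac.compare_digest(code.encode(), attempt.encode()):
            del self.pending[station_id]     # single use: a second copy is rejected
            return True
        entry[3] = attempts_left - 1
        if entry[3] <= 0:
            del self.pending[station_id]     # too many wrong copies: back to S4
        return False


class AccessControlUnit:
    """Role of i-sat: holds the cleared-address list (S2/S3) and relays the
    portal inputs to the authentication device (S6, S10)."""

    def __init__(self, auth):
        self.auth = auth
        self.cleared = set()         # MAC or IP addresses already authenticated

    def handle_request(self, station_id):
        # S3: cleared stations pass, everyone else is sent to the portal page (S4)
        return "ALLOW" if station_id in self.cleared else "PORTAL"

    def submit_msisdn(self, station_id, msisdn):
        # S5/S6: telephone number entered on the portal page, forwarded to i-noc
        self.auth.challenge(station_id, msisdn)
        return "PASSWORD_REQUEST"    # S8a: portal page asking for the code

    def submit_password(self, station_id, attempt):
        # S10/S11: copy of the identifier typed into the station
        if self.auth.verify(station_id, attempt):
            self.cleared.add(station_id)   # S13: station cleared
            return "ALLOW"
        return "ERROR"                     # S12


def run_demo():
    """Walk one station through the flow with constructed sample values."""
    sms = SmsGateway()
    acu = AccessControlUnit(AuthenticationDevice(sms))
    mac = "02:00:00:aa:bb:cc"             # constructed, locally administered MAC
    log = [acu.handle_request(mac)]
    log.append(acu.submit_msisdn(mac, "+49 170 0000000"))   # constructed number
    code = sms.sent[-1][1].split()[-1]  # what the subscriber reads off the phone (S9)
    log.append(acu.submit_password(mac, code))
    log.append(acu.handle_request(mac))
    log.append(acu.submit_password(mac, code))  # replaying the used code fails
    return log


if __name__ == "__main__":
    print(run_demo())
```

Three properties of the check in S11 are made explicit here that the text leaves implicit: the comparison is constant-time, an identifier is accepted at most once, and it stops being valid after a time window or after a small number of wrong copies, so that a subscriber who mistypes is sent back to the portal page rather than being allowed unlimited guesses.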

In addition to the transmission of charging information to a so-called wallet server, the charging information can also be transmitted directly to the operator, for example of a mobile communications network used for the authentication; charging or payment platforms available there can be used. Payment platforms exist for example as intelligent network functions for micropayment solutions. Such a charging method is described below with reference to FIG. 4.

Currently, standard mobile communications networks have an intelligent network (IN) with the aid of which they can offer help services or supplementary services for their mobile telephony customers, e.g. call forwarding to a voice mailbox. These systems generally consist of a service switching point SSP and a service control point SCP. The former recognizes, for example from the call number dialed, that an IN service is required; the latter recognizes the required service and enables the provision and charging of the same. Service control points SCP are generally implemented on server platforms.

Mobile communications network operators can now give third parties access to this generally very complex system if third parties would like to offer their own services and to use the mobile communications network operator's payment system as a type of collection system, which is where the term micropayment stems from. To this end, the connection is provided to a payment platform or a payment server, the interface being based upon a simple, generally IP-based, protocol, rather than using complex protocols which conform for example with CCS7 or INAP. In such a system, however, exactly the same problem of trust arises as in the prior art. If the seller of services or of data network access connects to such a charging system and is at the same time a wholly owned subsidiary of a mobile communications network operator, then charging requests from the seller can be accepted. The seller is then given an account in the payment server. However, if the seller is not a trustworthy seller, e.g. an unknown data network operator, then a wallet server is generally used as an intermediary. This wallet server can then, in addition to banks or trustworthy sellers, transmit invoices direct to the mobile communications network operator's payment system or charging system.

To facilitate this, the web server in the embodiment hereinabove is supplemented by an appropriate extended network interface. By this means, charging information can be transmitted inserted in appropriate messages of the mobile communications collection system.

In order to be able to determine the end of the charging, an override can be made to IN services, for example a weather service, which enable a time-out.

Using the procedure and devices described hereinabove, a wireless local area network can autonomously carry out authentications of connected stations or of subscribers assigned to these stations, it being possible for authentication information to be used from various different networks and systems with appropriately secure authentication facilities. A mobile communications network operator can connect external suppliers of local area networks to its charging or payment system and thus with minimum outlay offer its own mobile communications customers access to local area networks without itself being compelled to provide access points and data networks. Furthermore, a mobile communications network operator can obtain access to local area networks for its customers even at locations where this service is already being offered by another third party, by selling or donating to this third party the necessary devices and software functions. Moreover, third-party operators, e.g. content providers, can be motivated to offer access facilities to wireless local area networks themselves, since these can also exploit the mobile communications network's facility for authentication and thus for collection.

Referring to FIG. 5, a particularly preferred radio access point consists of a modular device. A radio element serves to connect external wireless stations to a wireless local area network conforming e.g. to the Ethernet standard. A modem element is also connected to the Ethernet line. The modem element has the devices and functions of the service selection gateway, i.e. the access control unit and function, a call or connection section and modularly replaceable interface devices for connecting to an external communications system or network. A modular device configured in this way conceals the service functionality, looks like a modem and offers, depending on the structural configuration, facilities for connecting to a large number of different types of communications systems and networks, such as e.g. ISDN or DSL. The aforementioned connection facilities serve not only the authentication described hereinabove, but also to provide an Internet access or other physical connections between the different types of systems. The various network types can thus be connected to the external interface, whereby access for sending short messages SMS to a mobile telephone in the GSM network can be via a 2 Mbit line of an interposed IP backbone.

1. A method for authenticated access by a station compatible with a data network, where access of the station is to an access point for such a data network, comprising: transmitting identification information to the access point; providing and transmitting a password via an interface to an authenticated device of a system or network external to the access point, having an authenticating function, whereby the identification information is directly assigned to the device authenticated in the external system or network and access to data of the authenticated device is available at a location of the station or of the access point; transferring the password sent to the authenticated device from the authenticated device to the station; based on the password received at the station, the station transmitting an attempted copy of the password to the access point; comparing the attempted copy of the password received from the station by the access point with the password sent to the authenticated device; and if the comparison is positive, enabling access of the station to at least some services and functions at the access-point end or at the network end.

2. The method according to claim 1, wherein the password is randomly generated or is randomly selected from a list with a large number of predefined passwords or another entity at the access-point end or at the network end.

3. The method according to claim 1, wherein the transmission of the password is carried out by a short message service.

4. The method according to claim 1, wherein the transmission of the password is carried out by an indirect use of authentication functions in the system or network external to the access point or data network with the authenticated device.

5. The method according to claim 1, wherein a mobile station or a subscriber identification card of a cellular mobile radio communication system is used as the authenticated device of the system or network external to the access point or data network.

6. The method according to claim 1, wherein after authentication of the station compatible with the data network, the station accessing the access point to the data network, data relevant to charging is recorded at the access-point end or in a data network at the access-point end by the or an independent entity when the station accesses the access point, the data network and/or services.

7. The method according to claim 6, wherein in a first charging unit basic charging information is recorded and transmitted to a second charging unit which determines from the basic charging information charges to be billed.

8. The method according to claim 6, wherein the data relevant to charging is forwarded to an external charging entity of a third party or to a charging unit, interposed for authentication, of the system or network external to the access point or external to the data network, wherein either the third party and the charging unit are not involved in the authentication procedure or the authentication procedure is carried out independently of the charging method autonomously between the station and the access point or the entity at the access-point end.

9. The method according to claim 6, wherein charging information of a charging-relevant connection occurs as charging access to an IN-based payment system.

10. A data network, comprising: at least one interface-type access point for access to the data network by stations compatible with the data network at the subscriber end; an access control unit with an authentication memory in which authorized stations are registered; and a first external network interface for access by the data network to an external system or network that is incompatible with the data network, wherein the access control unit is configured to generate a password and to transmit the password via the external system or network to an authenticated device of the external network, wherein the authenticated device is configured to provide the password to the station, wherein, in response to receiving the password from the authenticated device, the station is configured to transmit an attempted copy of the password to the access control unit; and wherein the access control unit is configured to compare the attempted copy of the password transmitted to the authenticated device with the password received from the station.